How The Copyright Industry Made Your Computer Less Safe

from the welcome-to-the-world-of-drm dept

I've already written one piece about Cory Doctorow's incredible column at the Guardian concerning digital rights management and anti-circumvention, in which I focused on how the combination of DRM and anti-circumvention laws allows companies to make up their own copyright laws in a way that removes the rights of the public. Those rights are fairly important, and the reason we have them encoded within our copyright laws is to make sure that copyright isn't abused to stifle speech. But, anti-circumvention laws combined with DRM allow the industry to route around that entirely.

But there's a second important point in Doctorow's piece that is equally worth highlighting, and it's that the combination of DRM and anti-circumvention laws make all of our computers less safe. For this to make sense, you need to understand that DRM is really a form of security software.

The entertainment industry calls DRM "security" software, because it makes them secure from their customers. Security is not a matter of abstract absolutes, it requires a context. You can't be "secure," generally -- you can only be secure from some risk. For example, having food makes you secure from hunger, but puts you at risk from obesity-related illness.

DRM is designed on the presumption that users don't want it, and if they could turn it off, they would. You only need DRM to stop users from doing things they're trying to do and want to do. If the thing the DRM restricts is something no one wants to do anyway, you don't need the DRM. You don't need a lock on a door that no one ever wants to open.

DRM assumes that the computer's owner is its adversary.

But, to understand security, you have to recognize that it's an ever-evolving situation. Doctorow quotes Bruce Schneier in pointing out that security is a process, not a product. Another way of thinking about it is that you're only secure until you're not -- and that point is going to come eventually. As Doctorow notes, every security system relies on people probing it and finding and reporting new vulnerabilities. That allows the process of security to keep moving forward. As vulnerabilities are found and understood, new defenses can be built and the security gets better. But anti-circumvention laws make that almost impossible with DRM, meaning that the process of making security better stops -- while the process of breaking it doesn't.

Here is where DRM and your security work at cross-purposes. The DMCA's injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.

And that leads to very real vulnerabilities. The most famous, of course, is the case of the Sony rootkit. As Doctorow notes, multiple security companies were aware of the nefarious nature of that rootkit, which not only hid itself on your computer and was difficult to delete, but also opened up a massive vulnerability for malware to piggyback on -- something malware writers took advantage of. And yet, the security companies did nothing, because explaining how to remove the rootkit would violate the DMCA.

Given the post-Snowden world we live in today, people are suddenly taking computer security and privacy more seriously than they have in the past -- and that, as Doctorow notes, represents another opportunity to start rethinking the ridiculousness of anti-circumvention laws combined with DRM. Unfortunately, politicians who are way behind on this stuff still don't get it. Recent trade agreements like the TPP and ACTA continue to push anti-circumvention clauses, and require them around the globe, thereby weakening computer security.

This isn't just an issue for the "usual copyright people." This is about actually making sure the computers we use are as secure and safe as they can be. Yet, in a world with anti-circumvention provisions, that's just not possible. It's time to fix that.